{
  "threat_severity" : "Moderate",
  "public_date" : "2014-12-15T00:00:00Z",
  "bugzilla" : {
    "description" : "subversion: NULL pointer dereference flaw in mod_dav_svn when handling REPORT requests",
    "id" : "1174054",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1174054"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.", "A NULL pointer dereference flaw was found in the way the mod_dav_svn module handled REPORT requests. A remote, unauthenticated attacker could use a specially crafted REPORT request to crash mod_dav_svn." ],
  "statement" : "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
  "acknowledgement" : "Red Hat would like to thank Subversion project for reporting this issue. Upstream acknowledges Evgeny Kotkov (VisualSVN) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-02-10T00:00:00Z",
    "advisory" : "RHSA-2015:0165",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "subversion-0:1.6.11-12.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-02-10T00:00:00Z",
    "advisory" : "RHSA-2015:0166",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "subversion-0:1.7.14-7.el7_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "subversion",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3580\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3580\nhttp://subversion.apache.org/security/CVE-2014-3580-advisory.txt" ],
  "name" : "CVE-2014-3580",
  "csaw" : false
}